Solving the Open Source Security Puzzle
Presentation at Cornerstones of Trust 2013 security conference.

Transcript

  • 1. June 18, 2013 – Securing Ubiquity. Vic Hargrave, JB Cheng, Santiago González Bassett
  • 2. Disclaimer: The views and opinions expressed during this conference are those of the speakers and do not necessarily reflect the views and opinions held by the Information Systems Security Association (ISSA), the Silicon Valley ISSA, the San Francisco ISSA or the San Francisco Bay Area InfraGard Members Alliance (IMA). Neither ISSA, InfraGard, nor any of its chapters warrants the accuracy, timeliness or completeness of the information presented. Nothing in this conference should be construed as professional or legal advice or as creating a professional-customer or attorney-client relationship. If professional, legal, or other expert assistance is required, the services of a competent professional should be sought.
  • 3. Log Normalization
    - Syslog
      - Installed by default on *nix operating systems.
    - Syslog-NG
      - Can be installed in various configurations to take the place of the default syslog.
      - Free to use; an enterprise version is available for purchase.
      - Many configuration types for exporting data.
    - OSSEC
      - Free to use.
      - Can export via syslog to other systems.
  • 4. Solving the Open Source Security Puzzle
    - What are the standards?
    - Why choose one product over another?
    - How do the various security components work together?
    - How does this work in the real world? Real examples.
  • 5. Understanding Rules
    - Customizable rulesets enable a security practitioner to add true intelligence about their own environment.
  • 6. Host Event Detection
    - AIDE (Advanced Intrusion Detection Environment)
  • 7. Network Detection Systems
  • 8. Event Management
  • 9. What is OSSEC?
    - Open Source SECurity
    - Open Source Host-based Intrusion Detection System
    - Provides protection for Windows, Linux, Mac OS, Solaris and many *nix systems
    - http://www.ossec.net
    - Founded by Daniel Cid
    - Current project managers: JB Cheng and Vic Hargrave
  • 10. OSSEC Capabilities
    - Log analysis
    - File integrity checking (Unix and Windows)
    - Registry integrity checking (Windows)
    - Host-based anomaly detection (rootkit detection on Unix)
    - Active response
  • 11. HIDS Advantages
    - Monitors system behaviors that are not evident from the network traffic
    - Can find persistent threats that penetrate firewalls and network intrusion detection/prevention systems
  • 12. OSSEC Architecture
    - OSSEC agents send their logs to the OSSEC server over UDP port 1514.
    - The server analyzes the logs and writes alerts, which can be followed live with: tail -f $ossec_alerts/alerts.log
  • 13. File Integrity Alert Sample
    ** Alert 1365550297.8499: mail - ossec,syscheck,
    2013 Apr 09 16:31:37 ubuntu->syscheck
    Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
    Integrity checksum changed for: '/etc/apt/apt.conf.d/01autoremove-kernels'
  • 14. Log Analysis Alert Sample
    ** Alert 1365514728.3680: mail - syslog,dpkg,config_changed,
    2013 Apr 09 06:38:48 ubuntu->/var/log/dpkg.log
    Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.'
    2013-04-09 06:38:47 status installed linux-image-3.2.0-40-generic-pae 3.2.0-40.64
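The two alert samples above share one record layout (header line with alert id and rule groups, origin line with timestamp and host->location, rule line with id, level and description, then the raw payload). The parser below is an added example, not OSSEC code, that turns an alerts.log dump into structured records and filters them the way a downstream alerts plugin or SIEM forwarder would. The sample input embeds the two slide alerts plus a third, constructed sshd alert (rule id and level chosen for illustration) so the filter has something to drop.

```python
"""Parse OSSEC alerts.log records into dicts (added example, not OSSEC code).

Record layout, as in the samples on the slides:
  ** Alert <epoch.counter>:[ mail] - <group>,<group>,...,
  <YYYY Mon DD HH:MM:SS> <source>-><location>
  Rule: <id> (level <n>) -> '<description>'
  <one or more payload lines>
Records are separated by blank lines.
"""
import re

# Constructed sample: the two alerts from the slides plus one lower-level sshd
# alert (also constructed) so that the level/group filter has something to drop.
SAMPLE_ALERTS = """\
** Alert 1365550297.8499: mail - ossec,syscheck,
2013 Apr 09 16:31:37 ubuntu->syscheck
Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
Integrity checksum changed for: '/etc/apt/apt.conf.d/01autoremove-kernels'

** Alert 1365514728.3680: mail - syslog,dpkg,config_changed,
2013 Apr 09 06:38:48 ubuntu->/var/log/dpkg.log
Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.'
2013-04-09 06:38:47 status installed linux-image-3.2.0-40-generic-pae 3.2.0-40.64

** Alert 1365514800.4102: - syslog,sshd,authentication_failed,
2013 Apr 09 06:40:00 (web01) 10.0.0.7->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Apr  9 06:39:59 web01 sshd[2214]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
"""

# Header: alert id, optional " mail" flag, comma-separated rule groups with a trailing comma.
HEADER_RE = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+):(?P<flags>(?: \w+)*) - (?P<groups>.*?),?$")
# Origin: timestamp, then source (for agents "(name) ip"), "->", then the log location.
ORIGIN_RE = re.compile(r"^(?P<time>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<source>.*?)->(?P<location>.*)$")
# Rule line: numeric rule id, level, quoted description.
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<description>.*)'$")


def parse_alert(block):
    """Turn one alert record (header, origin, rule and payload lines) into a dict."""
    lines = block.strip("\n").splitlines()
    if len(lines) < 3:
        raise ValueError("alert record too short: %r" % block)
    header = HEADER_RE.match(lines[0])
    origin = ORIGIN_RE.match(lines[1])
    rule = RULE_RE.match(lines[2])
    if not (header and origin and rule):
        raise ValueError("unrecognised alert record: %r" % lines[:3])
    return {
        "id": header["id"],
        "mail": "mail" in header["flags"].split(),
        "groups": [g for g in header["groups"].split(",") if g],
        "time": origin["time"],
        "source": origin["source"],
        "location": origin["location"],
        "rule": int(rule["rule"]),
        "level": int(rule["level"]),
        "description": rule["description"],
        "payload": lines[3:],  # raw log line(s) or syscheck detail that fired the rule
    }


def parse_alerts(text):
    """Split an alerts.log dump on blank lines and parse every record."""
    return [parse_alert(b) for b in re.split(r"\n[ \t]*\n", text) if b.strip()]


def select(alerts, min_level=0, group=None):
    """Keep records at or above min_level and, if given, only those carrying the rule group."""
    return [a for a in alerts
            if a["level"] >= min_level and (group is None or group in a["groups"])]


if __name__ == "__main__":
    for a in select(parse_alerts(SAMPLE_ALERTS), min_level=7):
        print(a["time"], a["source"], "rule", a["rule"], "level", a["level"], a["description"])
```

The group list is what makes the records useful downstream: filtering on `syscheck` isolates file-integrity changes for the PCI DSS 10.5.5 and 11.5 evidence discussed later, while `min_level` reproduces the server-side alert threshold.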
  • 15. PCI DSS Requirements
    - 10.5.5: Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
    - 11.5: Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
  • 16. OSSECCON
    - Annual gathering of OSSEC users and developers.
    - Community members discuss how they are using OSSEC, what new features they would like, and set the roadmap for future releases.
    - OSSEC 2.7.1 soon to be released.
    - Planning for OSSEC 3.0 is underway.
    - OSSECCON 2013 will be held Thursday July 25th at Trend Micro's Cupertino office.
    - Please join us there!
  • 17. Santiago González Bassett, Alien Vault. santiago@alienvault.com, @santiagobassett
  • 18. About me
    - Developer, systems engineer, security administrator, consultant and researcher for the last 10 years.
    - Member of the OSSIM project team since its inception.
    - Implemented distributed open source security technologies in large enterprise environments for European and US companies.
    - http://santi-bassett.blogspot.com/ @santiagobassett
  • 19. What is OSSIM?
    - OSSIM is the Open Source SIEM (GNU GPL version 3.0).
    - With over 195,000 downloads it is the most widely used SIEM in the world.
    - Created in 2003, it is developed and maintained by Alien Vault and community contributors.
    - Provides unified and intelligent security.
    - http://communities.alienvault.com/
  • 20. Why OSSIM?
    - Because it provides security intelligence
      - Discards false positives
      - Assesses the impact of an attack
      - Collaboratively learns about APTs
    - Because it unifies security management
      - Centralizes information
      - Integrates threat detection tools
  • 21. OSSIM integrated tools
    - Assets: nmap, prads
    - Behavioral monitoring: fprobe, nfdump, ntop, tcpdump, nagios
    - Vulnerability assessment: osvdb, openvas
    - Threat detection: ossec, snort, suricata
  • 22. OSSIM: 200+ collectors
  • 23. OSSIM Architecture
    [architecture diagram; surviving labels: "Configuration & Management", "Normalized Events"]
  • 24. OSSIM: Anatomy of a collector (plugin definition; backslashes in the regexp restored)
    [apache-access]
    event_type=event
    regexp="((?P<dst>\S+)(:(?P<port>\d{1,5}))? )?(?P<src>\S+) (?P<id>\S+) (?P<user>\S+) \[(?P<date>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\s+[+-]\d{4}\] \"(?P<request>.*)\" (?P<code>\d{3}) ((?P<size>\d+)|-)( \"(?P<referer_uri>.*)\" \"(?P<useragent>.*)\")?$"
    src_ip={resolv($src)}
    dst_ip={resolv($dst)}
    dst_port={$port}
    date={normalize_date($date)}
    plugin_sid={$code}
    username={$user}
    userdata1={$request}
    userdata2={$size}
    userdata3={$referer_uri}
    userdata4={$useragent}
    filename={$id}
    Raw log:
    76.103.249.20 - - [15/Jun/2013:10:14:32 -0700] "GET /ossim/session/login.php HTTP/1.1" 200 2612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"
  • 25. OSSIM Reliability Assessment
    [diagram: reliability axis, lowest to highest]
    - SSH failed authentication event
    - SSH successful authentication event
    - 10 SSH failed authentication events
    - 100 SSH failed authentication events
    - Persistent connections after an SSH successful authentication event
    - 1000 SSH failed authentication events
    - SSH successful authentication event following the failures
  • 26. OSSIM Risk Assessment
    - RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY) / 25
    - Example: Event Priority = 2, Event Reliability = 10; Source Asset Value = 2, Destination Asset Value = 5
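The two slides above describe one mechanism: correlation raises an event's reliability as evidence accumulates, and the risk formula turns reliability, priority and asset value into a score. The added example below (not OSSIM code) implements both for the SSH brute-force case on the reliability slide. The failure thresholds (1, 10, 100, 1000 failed logins) and the "success after failures" rung come from the slide; the reliability value attached to each rung, and the 0-5 asset and priority and 0-10 reliability ranges, are assumptions made here so that risk lands on a 0-10 scale. With the slide's numbers (priority 2, reliability 10, destination asset 5, source asset 2) the formula yields 4.0 for the destination and 1.6 for the source.

```python
"""Reliability escalation and risk scoring in the style of the OSSIM slides
(added example, not OSSIM code)."""
from collections import defaultdict


def risk(asset_value, priority, reliability):
    """Risk formula from the slide: (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY) / 25.
    Ranges are assumed: asset 0-5, priority 0-5, reliability 0-10, so risk is 0-10."""
    if not (0 <= asset_value <= 5 and 0 <= priority <= 5 and 0 <= reliability <= 10):
        raise ValueError("asset value and priority must be 0-5, reliability 0-10")
    return asset_value * priority * reliability / 25


# Thresholds are the slide's ladder; the reliability per rung is an assumption.
FAILURE_LADDER = ((1, 1), (10, 3), (100, 5), (1000, 7))
LONE_SUCCESS = 1               # assumed: a single successful login by itself says little
SUCCESS_AFTER_FAILURES = 10    # assumed: success right after a burst of failures is the strongest signal


class SshReliability:
    """Tracks failed SSH logins per (src, dst) pair and returns a reliability per event."""

    def __init__(self):
        self.failures = defaultdict(int)

    def observe(self, event):
        key = (event["src"], event["dst"])
        if event["type"] == "ssh_failed":
            self.failures[key] += 1
            n = self.failures[key]
            # highest rung whose threshold the running count has reached
            return max(r for threshold, r in FAILURE_LADDER if n >= threshold)
        if event["type"] == "ssh_success":
            prior = self.failures.pop(key, 0)   # a success closes the failure window
            return SUCCESS_AFTER_FAILURES if prior else LONE_SUCCESS
        raise ValueError("unknown event type: %r" % event["type"])


def score_stream(events, asset_values, priority):
    """Walk an event stream and attach reliability plus source/destination risk to each event.
    Assets missing from asset_values get value 0 (assumed default)."""
    corr = SshReliability()
    out = []
    for ev in events:
        reliability = corr.observe(ev)
        out.append({
            "type": ev["type"],
            "reliability": reliability,
            "risk_src": risk(asset_values.get(ev["src"], 0), priority, reliability),
            "risk_dst": risk(asset_values.get(ev["dst"], 0), priority, reliability),
        })
    return out


# Constructed stream: ten failed logins from one source, then a success.
SAMPLE_EVENTS = [{"src": "203.0.113.9", "dst": "10.0.0.5", "type": "ssh_failed"}] * 10 + \
                [{"src": "203.0.113.9", "dst": "10.0.0.5", "type": "ssh_success"}]
ASSET_VALUES = {"10.0.0.5": 5, "203.0.113.9": 2}   # slide: destination asset 5, source asset 2


if __name__ == "__main__":
    for i, r in enumerate(score_stream(SAMPLE_EVENTS, ASSET_VALUES, priority=2), 1):
        print(i, r["type"], "reliability", r["reliability"],
              "risk src/dst", r["risk_src"], r["risk_dst"])
```

The point of dividing by 25 is visible in the assertions: the maximum product 5 * 5 * 10 gives a risk of exactly 10, and a single failed login against the most valuable asset scores well under 1, so nothing pages an analyst until the correlation engine has actually seen a pattern.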
  • 27. OSSIM & OSSEC Integration
    - Web management interface
    - OSSEC alerts plugin
    - OSSEC correlation rules
    - OSSEC reports
  • 28. OSSIM Deployment
    [deployment diagram: three sensors collect logs from devices over syslog, WMI, SDEE, OPSEC, FTP, SCP, SQL, Samba, SNMP, OSSEC and port mirroring; the sensors send normalized events to the OSSIM server ("normalized data server")]
  • 29. OSSIM Attack Detection
    - Attacker X.X.X.X against target Y.Y.Y.Y; the evidence OSSIM combines:
      - Accepted HTTP packet from X.X.X.X to Y.Y.Y.Y
      - Attack: WEB-IIS multiple decode attempt
      - Vulnerability: IIS Remote Command Execution
      - Alert: Low reputation IP (OTX)
      - Alert: IIS attack detected
  • 30. OSSIM Demo Use Cases
    - Detection & risk assessment: OTX, Snort NIDS, logical correlation, vulnerability assessment, asset discovery
    - Correlating firewall logs: Cisco ASA plugin, network scan detection
    - Correlating Windows events: OSSEC integration, brute force attack detection
  • 31. Thank you. Santiago González Bassett, Alien Vault. santiago@alienvault.com, @santiagobassett